"High risk": Document shows HHS launched ObamaCare website without end-to-end security testing

Via the WFB, if you watched this morning and were wondering what Mike Rogers was looking at while he was grilling Sebelius on site security, here’s your answer.

The Sept. 27 memo to Medicare chief Marylin Tavenner said a website contractor wasn’t able to test all the security controls in one complete version of the system.

Insufficient testing “exposed a level of uncertainty that can be deemed as a high risk,” the memo said.

The memo recommended setting up a security team to address risks, conduct daily tests, and a full security test within two to three months of going live.

“High risk,” but they launched it anyway. The result: A flaw in the password-reset part of the site that would have made it unusually easy for hackers to fool the site into letting them log on as other users. “This seems really sloppy,” said the IT specialist who uncovered it. The flaw was fixed on Monday night, but it is indeed a bad omen about the rest of the site’s security that something as basic as this went uncorrected for nearly a month. And things might get worse before they get better: Rogers’s point in the clip below isn’t merely that they rushed this thing out without a comprehensive security check, it’s that the ongoing repairs to the site’s functionality could be creating new security holes that they’re not even aware of yet. Even if they ran an end-to-end check now and everything was okay, there could be new flaws a month from now as a result of “fixes” being performed daily by the “tech surge” team. Security experts are worried too:

“A secure software development effort takes time,” [IT-Harvest consultant Richard] Stiennon said, “I am very concerned that a rush job on the Healthcare.gov site will introduce new security vulnerabilities.”…

“In all the coverage (of the glitches) and [at] all the official press conferences, I have heard them talk about how they are going to fix the technical glitches,” [HackSurfer founder Jason] Polancich said. “But I have not heard anyone talk about what they are doing from a cyber defense standpoint or of identifying and fixing vulnerabilities. I have not heard them talk about how they are going to address persistent cyber threats.”…

“Coordinating complex application and infrastructure changes is challenging under the best of circumstances and it’s even worse during a mad scramble,” [TripWire CTO Dwayne] Melancon said. “Haste is the enemy of good security. Security is complex and requires a lot of forethought and planning to be effective, so I’m concerned that trying to scramble and fix things quickly — especially on a live system — will introduce unintended security issues.”

Just another in the endless cascade of problems from their fateful decision to launch on time on October 1. The worse things get, the more mysterious that decision becomes. As embarrassing as it would have been for them to delay the rollout until, say, November 1, it’s minuscule compared to the cumulative embarrassment they’re suffering from a notoriously defective website, a mountain of media coverage about disruptions to the insurance market if people become disaffected and stop trying to enroll, the PR disaster of some sort of major security breach by hackers, etc. The only explanation I can come up with, apart from pure spiteful pride in not handing Republicans an easy “I told you so” by delaying, is that they knew that some critical mass of people with illnesses would persevere and sign up despite all of the problems and that would make it much harder for Republicans to argue later that the entire law should be delayed. That’s the White House’s ultimate goal — not building a site that runs well on the day it’s supposed to debut, not ensuring that the site isn’t a beehive for hackers looking to steal identities, but simply making sure that O doesn’t need to cry “uncle” for six months or a year in his endless political death struggle over ObamaCare with the GOP.

Join the conversation as a VIP Member

Trending on HotAir Video